Add pluggable ticket secret generators (#1809)

2026-05-14 16:44:06 +00:00 · 2020-10-19 15:00:55 +02:00
parent 6e20f33ef5
commit 22bba28bea
43 changed files with 890 additions and 69 deletions
--- a/src/pretix/api/views/checkin.py
+++ b/src/pretix/api/views/checkin.py
@@ -278,13 +278,23 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
            else:
                op = queryset.get(secret=self.kwargs['pk'])
        except OrderPosition.DoesNotExist:
-            self.request.event.log_action('pretix.event.checkin.unknown', data={
+            revoked_matches = list(self.request.event.revoked_secrets.filter(secret=self.kwargs['pk']))
+            if len(revoked_matches) == 0 or not force:
+                self.request.event.log_action('pretix.event.checkin.unknown', data={
+                    'datetime': dt,
+                    'type': type,
+                    'list': self.checkinlist.pk,
+                    'barcode': self.kwargs['pk']
+                }, user=self.request.user, auth=self.request.auth)
+                raise Http404()
+
+            op = revoked_matches[0].position
+            op.order.log_action('pretix.event.checkin.revoked', data={
                'datetime': dt,
                'type': type,
                'list': self.checkinlist.pk,
                'barcode': self.kwargs['pk']
            }, user=self.request.user, auth=self.request.auth)
-            raise Http404()

        given_answers = {}
        if 'answers' in self.request.data:
@@ -325,6 +335,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                'position': op.id,
                'positionid': op.positionid,
                'errorcode': e.code,
+                'force': force,
                'datetime': dt,
                'type': type,
                'list': self.checkinlist.pk
--- a/src/pretix/api/views/event.py
+++ b/src/pretix/api/views/event.py
@@ -89,7 +89,6 @@ class EventViewSet(viewsets.ModelViewSet):
            )

        qs = filter_qs_by_attr(qs, self.request)
-
        return qs.prefetch_related(
            'meta_values', 'meta_values__property', 'seat_category_mappings'
        )
--- a/src/pretix/api/views/order.py
+++ b/src/pretix/api/views/order.py
@@ -26,15 +26,18 @@ from pretix.api.serializers.order import (
    InvoiceSerializer, OrderCreateSerializer, OrderPaymentCreateSerializer,
    OrderPaymentSerializer, OrderPositionSerializer,
    OrderRefundCreateSerializer, OrderRefundSerializer, OrderSerializer,
-    PriceCalcSerializer, SimulatedOrderSerializer,
+    PriceCalcSerializer, RevokedTicketSecretSerializer,
+    SimulatedOrderSerializer,
 )
 from pretix.base.i18n import language
 from pretix.base.models import (
    CachedCombinedTicket, CachedTicket, Device, Event, Invoice, InvoiceAddress,
    Order, OrderFee, OrderPayment, OrderPosition, OrderRefund, Quota, SubEvent,
-    TeamAPIToken, generate_position_secret, generate_secret,
+    TeamAPIToken, generate_secret,
 )
+from pretix.base.models.orders import RevokedTicketSecret
 from pretix.base.payment import PaymentException
+from pretix.base.secrets import assign_ticket_secret
 from pretix.base.services import tickets
 from pretix.base.services.invoices import (
    generate_cancellation, generate_invoice, invoice_pdf, invoice_qualified,
@@ -483,8 +486,9 @@ class OrderViewSet(viewsets.ModelViewSet):
        order = self.get_object()
        order.secret = generate_secret()
        for op in order.all_positions.all():
-            op.secret = generate_position_secret()
-            op.save()
+            assign_ticket_secret(
+                request.event, op, force_invalidate=True, save=True
+            )
        order.save(update_fields=['secret'])
        CachedTicket.objects.filter(order_position__order=order).delete()
        CachedCombinedTicket.objects.filter(order=order).delete()
@@ -1298,3 +1302,26 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
                auth=self.request.auth,
            )
            return Response(status=204)
+
+
+with scopes_disabled():
+    class RevokedSecretFilter(FilterSet):
+        created_since = django_filters.IsoDateTimeFilter(field_name='created', lookup_expr='gte')
+
+        class Meta:
+            model = RevokedTicketSecret
+            fields = []
+
+
+class RevokedSecretViewSet(viewsets.ReadOnlyModelViewSet):
+    serializer_class = RevokedTicketSecretSerializer
+    queryset = RevokedTicketSecret.objects.none()
+    filter_backends = (DjangoFilterBackend, OrderingFilter)
+    ordering = ('-created',)
+    ordering_fields = ('created', 'secret')
+    filterset_class = RevokedSecretFilter
+    permission = 'can_view_orders'
+    write_permission = 'can_change_orders'
+
+    def get_queryset(self):
+        return RevokedTicketSecret.objects.filter(event=self.request.event)